The new EU General Data Protection Regulation to be enforced in May 2018 reshapes profoundly the way personal data is defined and handled by enterprises challenging their current system landscapes, internal processes, data management practices and organizational structures. The changing dimensions of non-compliance fees, territorial reach and set of rights attributed to EU residing data subjects are revealing a new level of requirements to organizations of various sizes and business concepts.
More information on key aspects of the new regulation could be found here.
Precisely now is the right time to act and to engage into coordinated activities towards GDPR compliance. A passive attitude in such dynamically evolving legislative landscape brings significant threats to the overall business sustainability of organizations dependent on collection and processing of personal data.
This article focuses on a practical GDPR compliance roadmap design and touches on common industry misconceptions.
How the industry is preparing for this evolutionary step in the personal data regulation world?
Due to the approaching enforcement date, majority of the data-driven organizations, especially in Europe and the USA, are placing GDPR compliance strategies constantly higher on their strategic business agendas.
By exploring more precisely the frames of the new regulation enterprises are facing multiple challenging considerations in the process of designing their roadmaps to compliance. From experience, the following several questions could be outlined as common concerns across the organizations aiming for compliance reformation:
- Where is the starting point and what should be the optimal prioritization of all planned measures?
- Which function or structure is the trigger and owns the company-wide reformation of personal data handling?
- At what point external consulting services and expertise should be involved on the way to compliance?
- How to define the risk tolerance profile of the organization and what is the financial impact of all compliance efforts?
To meet these concerns a proven framework needs to be in place providing a clear path towards sustainable GDPR compliance. Current ongoing projects demonstrate that a well thought-out and effective establishment of a first wall of defense involves several universal steps as part of a logical and result-focused GDPR compliance roadmap.
From these key elements in the compliance strategy lower-level work packages and measures will be derived with varying scope encompassing documentation duties, end-consumer facing process assessments, data sources, attributes, retention periods, authorization concepts, security measure, interfaces etc. The overall success on the journey to compliance goes however far beyond technical aspects and relies strongly on the internal mindset and attitude towards personal data as a tightly regulated and highly valuable company asset. This could be achieved through effective utilization of adequate change management, training and awareness-raising methodologies.
Although GDPR is setting clear industry-wide boundaries, the journey to establishing a compliant organization is still a very individual one due to the specifics in the nature and the business concept of every company. From observations, a pair of common pitfalls could be underlined as recurring misconceptions across enterprises:
- Misconception 1: Centralization and pure top-down controlled approach ensures clear goals and the necessary transparency required for compliance success.
- In fact: With increase of the international presence of a company the complexity of the compliance project increases in parallel. Ownership per country/region allows translation of global processes into local ones and ensures higher internal commitment.
- Misconception 2: GDPR is predominantly a legal and technical project.
- In fact: Organizational measures constitute around 70% of the workload.
After starting the journey and realizing the whole way ahead most of the companies agree on a step-wise vision. A common element across organizational strategies is the focus on elimination of immediate vulnerability to GDPR standards through establishment of short-term first wall of defense accompanied by a vision for long-term sustainable compliance through core restructuring of internal business pillars: organization, processes, systems and data management.
CAMELOT as a reliable partner on your the journey towards GDPR compliance
Join the league of GDPR-compliant enterprises in a legally harmonized data privacy environment with the expertise of CAMELOT Management Consultants. We are stepping on 20 years of expertise in enterprise data management projects with unrivaled track record of success stories with predominant customer base from Fortune Global 500 players. CAMELOT’s unique value generation comes from its strong synergetic competences from Business and IT perspective. Its position on the forefront of new technologies enables simultaneously the generation of quick wins with digital use cases as well as solid strategic guidance for long-term industry flagship positioning for its customers.
Read more on CAMELOT’s service offerings for GDPR-compliance here.
The author would like to thank Aleksandra Baumann for her gracious support in creating this article.
This post is also available in: German